
Analyzing HTTP User Agent Anomalies for Malware Detection

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7731))

Abstract

This paper analyzes User Agent (UA) anomalies within malware HTTP traffic and extracts signatures for malware detection. Within a large set of malware HTTP traffic provided by a local AV company, we observe that almost one malware sample in eight uses a suspicious UA header in at least one HTTP request. Such anomalies include typos, information leakage, outdated versions, and attack vectors such as XSS and SQL injection. UA anomalies are still analyzed manually, whereas thousands of new malware samples are collected daily. On the other hand, simply blacklisting unusual UA strings is not viable, because malware developers may use random values or encode variable patterns. This paper automatically classifies UA anomalies and extracts signatures for malware detection. Our approach is implemented on top of network-based detection systems. We extracted signatures from an overall set of 100 thousand malware samples and tested these signatures on real-world malware traffic. Experimental results show that our solution detects malware that was still unknown at the time our signatures were extracted.
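The anomaly classes the abstract lists (typos, information leakage, outdated versions, and XSS/SQL injection payloads), and its point that a plain blacklist cannot keep up with random or variable UA strings, are illustrated by the following Python example. It is an added example written for this page, not code from the paper or its author: the known-token list, the "outdated" version thresholds, the leak and injection patterns and the sample requests are all assumptions constructed here, and the signature step is a simple per-token-column generalisation, not the paper's extraction algorithm.

```python
import os
import re

# Added example: heuristic UA anomaly classifier plus a toy signature
# generaliser. Thresholds, patterns and sample data are assumptions made for
# this illustration, not values taken from the paper.

KNOWN_TOKENS = {"Mozilla", "compatible", "MSIE", "Windows", "Gecko", "Chrome",
                "Firefox", "Safari", "AppleWebKit", "Trident", "Opera"}

# Assumed thresholds: anything below these is flagged as "outdated".
MIN_MSIE_VERSION = 7
MIN_FIREFOX_VERSION = 10

LEAK_PATTERNS = [
    re.compile(r"[A-Za-z]:\\[^\s;)]+"),                          # local Windows path
    re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),  # MAC address
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),                  # e-mail address
]
ATTACK_PATTERNS = [
    re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.I),    # XSS
    re.compile(r"'\s*or\s+'?\d|union\s+select|;\s*drop\b", re.I),       # SQLi
]


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_ua(ua):
    """Return the sorted anomaly labels found in one User-Agent value
    (an empty list means none of the checks fired)."""
    labels = set()
    # typo: a word of 4+ letters within two edits of a known product token
    # but not equal to one, e.g. "Mozila" or "Geko" (heuristic, tune on a baseline)
    for word in re.findall(r"[A-Za-z]{4,}", ua):
        if word not in KNOWN_TOKENS and any(edit_distance(word, k) <= 2 for k in KNOWN_TOKENS):
            labels.add("typo")
    # outdated: claims a browser version nobody should still be running
    m = re.search(r"MSIE (\d+)", ua)
    if m and int(m.group(1)) < MIN_MSIE_VERSION:
        labels.add("outdated")
    m = re.search(r"Firefox/(\d+)", ua)
    if m and int(m.group(1)) < MIN_FIREFOX_VERSION:
        labels.add("outdated")
    # information leakage: host-specific data copied into the header
    if any(p.search(ua) for p in LEAK_PATTERNS):
        labels.add("info_leak")
    # attack vector: the header carries an injection payload
    if any(p.search(ua) for p in ATTACK_PATTERNS):
        labels.add("attack_vector")
    return sorted(labels)


def _generalise_column(column):
    """Regex fragment for one token position that varies across a cluster:
    characters shared by every value at the start and end stay literal,
    only the varying middle becomes a wildcard."""
    values = sorted(column)
    prefix = os.path.commonprefix(values)
    suffix = os.path.commonprefix([v[::-1] for v in values])[::-1]
    shortest = min(len(v) for v in values)
    if len(prefix) + len(suffix) > shortest:        # prefix/suffix overlap
        suffix = suffix[len(prefix) + len(suffix) - shortest:]
    return re.escape(prefix) + r"\S*" + re.escape(suffix)


def extract_signature(cluster):
    """One regex matching every UA in a cluster of variants. Assumes the
    variants have the same number of space-separated tokens (a simplification
    of this example, not the paper's method)."""
    token_lists = [ua.split(" ") for ua in cluster]
    width = len(token_lists[0])
    if any(len(t) != width for t in token_lists):
        raise ValueError("all variants must have the same token count")
    parts = []
    for i in range(width):
        column = {t[i] for t in token_lists}
        parts.append(re.escape(token_lists[0][i]) if len(column) == 1
                     else _generalise_column(column))
    return " ".join(parts)


def signature_matches(signature, ua):
    return re.fullmatch(signature, ua) is not None


# Constructed sample requests (path, User-Agent); not from the paper's dataset.
SAMPLE_REQUESTS = [
    ("/index.html", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.36"),
    ("/gate.php", "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("/report.php", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; C:\\Windows\\Temp\\svc.exe)"),
    ("/login", "Mozilla/5.0' OR '1'='1"),
]


def flag_anomalous(requests):
    """Return [(path, labels)] for every request whose UA carries an anomaly."""
    flagged = []
    for path, ua in requests:
        labels = classify_ua(ua)
        if labels:
            flagged.append((path, labels))
    return flagged


if __name__ == "__main__":
    for path, labels in flag_anomalous(SAMPLE_REQUESTS):
        print(f"{path}: {', '.join(labels)}")
    # Three beacons of one family differ only in a per-bot identifier: a
    # blacklist of any single exact string misses the others, the signature does not.
    cluster = [
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; id=8F3A2C1D)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; id=0B77E9A4)",
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; id=C21D4F0E)",
    ]
    sig = extract_signature(cluster)
    print(sig)
    print(signature_matches(sig, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; id=DEADBEEF)"))
```

Running the script labels three of the four constructed requests and prints one regex that covers all three beacons, matches a fourth variant with a different identifier, and still rejects a legitimate `MSIE 6.0; ... SV1)` string because the shared `id=` prefix is kept literal. The typo and version checks are heuristics: before they drive alerts on real traffic they need tuning against a baseline of the organisation's own legitimate UA strings, or they will fire on unusual but benign clients.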


Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kheir, N. (2013). Analyzing HTTP User Agent Anomalies for Malware Detection. In: Di Pietro, R., Herranz, J., Damiani, E., State, R. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2012 2012. Lecture Notes in Computer Science, vol 7731. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35890-6_14

  • DOI: https://doi.org/10.1007/978-3-642-35890-6_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35889-0

  • Online ISBN: 978-3-642-35890-6

  • eBook Packages: Computer Science (R0)
